VYPR

Vendor: KDE

KDE is an international free software community that develops free and open-source software. As a central development hub, it provides tools and resources that enable collaborative work on its projects. Its products include the KDE Plasma graphical shell, KDE Frameworks, and the KDE Gear range of applications including Kate, digiKam, and Krita. Many KDE applications are cross-platform and can run on Unix and Unix-like operating systems as well as Microsoft Windows. KDE is legally represented by KDE e.V. based in Germany, which also owns the KDE trademarks and funds the project.

Founded: 1996
Products: 96
CVEs: 223
Across products: 250
Status: Private

Products (96)

Recent CVEs (223)
  • CVE-2016-3100 (High), Jul 13, 2016
    risk 0.55, CVSS 8.4, EPSS 0.00

    kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for /tmp/xauth-xxx-_y, which allows local users to obtain X11 cookies of other users and consequently capture keystrokes and possibly gain privileges by reading the file.

  • CVE-2017-8422 (High), May 17, 2017
    risk 0.54, CVSS 7.8, EPSS 0.02

    KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.

  • CVE-2025-49091 (High), Jun 11, 2025
    risk 0.53, CVSS 8.2, EPSS 0.01

    KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this…

  • CVE-2016-7967 (High), Dec 23, 2016
    risk 0.53, CVSS 8.1, EPSS 0.02

    KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default, access to remote and local URLs was enabled.

  • CVE-2018-10380 (High), May 8, 2018
    risk 0.51, CVSS 7.8, EPSS 0.00

    kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack.

  • CVE-2017-5330 (High), Mar 27, 2017
    risk 0.51, CVSS 7.8, EPSS 0.03

    ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications.

  • CVE-2006-2916 (High), Jun 15, 2006
    risk 0.51, CVSS 7.8, EPSS 0.00

    artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.

  • CVE-2017-15923 (High), Nov 15, 2017
    risk 0.49, CVSS 7.5, EPSS 0.03

    Konversation 1.4.x, 1.5.x, 1.6.x, and 1.7.x before 1.7.3 allow remote attackers to cause a denial of service (crash) via vectors related to parsing of IRC color formatting codes.

  • CVE-2017-9604 (High), Jun 13, 2017
    risk 0.49, CVSS 7.5, EPSS 0.01

    KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the…

  • CVE-2016-6232 (High), Aug 2, 2016
    risk 0.49, CVSS 7.5, EPSS 0.04

    Directory traversal vulnerability in KArchive before 5.24, as used in KDE Frameworks, allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.

  • CVE-2005-1920 (High), Jul 26, 2005
    risk 0.49, CVSS 7.5, EPSS 0.04

    The (1) Kate and (2) Kwrite applications in KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information.

  • CVE-2016-7966 (High), Dec 23, 2016
    risk 0.48, CVSS 7.3, EPSS 0.02

    Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available…

  • CVE-2023-52723 (High), Apr 29, 2024
    risk 0.46, CVSS 7.1, EPSS 0.01

    In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value.

  • CVE-2015-7543 (High), Jul 25, 2017
    risk 0.46, CVSS 7.0, EPSS 0.00

    aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory.

  • CVE-2006-6811 (Medium), Dec 29, 2006
    risk 0.46, CVSS 6.5, EPSS 0.10

    KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. NOTE: this issue was originally reported as a…

  • CVE-2004-0689 (High), Sep 28, 2004
    risk 0.46, CVSS 7.1, EPSS 0.00

    KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.

  • CVE-2026-41527 (Medium), Apr 21, 2026
    risk 0.45, CVSS 6.9, EPSS 0.00

    KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.

  • CVE-2025-59820 (Medium), Nov 26, 2025
    risk 0.44, CVSS 6.7, EPSS 0.00

    In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.

  • CVE-2018-6791 (Medium), Feb 7, 2018
    risk 0.44, CVSS 6.8, EPSS 0.01

    An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a…

  • CVE-2016-2312 (Medium), Dec 23, 2016
    risk 0.44, CVSS 6.8, EPSS 0.00

    Turning all screens off in Plasma-workspace and kscreenlocker while the lock screen is shown can result in the screen being unlocked when turning a screen on again.